by David D’Agostino, VP of Operations
People, process and technology, when optimized together, are the three keys to improved IT security. To take it a step further, a successful security program is not one with an end-state, but rather one that is approached as a continuous, orchestrated journey. Over time following a path will lead to success. If Rome wasn’t built in a day, and has never halted the modifications, then neither can your security program.
In today’s security state, the steps and path should include implementing basic security procedures, tools and repeatable processes that work together to ultimately report key insights that measure and track the processes to show improved security.
Start with the basics.
Cybercriminals capitalize on low hanging fruit. They attack the organizations that fail to prioritize known security vulnerabilities and updates. The following are five fundamental steps organizations can take to vastly improve security.
- Patching Cadence: Patching is critical to protect from attackers taking advantage of known vulnerabilities. Validate and enforce regular patching of endpoints, severs and gateway appliances. Develop a process using a patching tool to automate this to the endpoint. Create reports and KPI’s around the number of needed, missed patches. Create a strategy to enforce these patches to devices off the network. Assess the risk of non-compliant devices.
- Password Policy: This is a very easy one to implement once an organization culturally shifts priority to security over convenience. Account Takeover Attacks (ATO) have become widespread and extremely lucrative for cybercriminals. Contrary to the past suggestions, the latest recommendation from NIST states that over complicated passwords often result in counterproductive behavior. For example, users writing them down or publicly posting them to their PC or monitor negates the added security. The latest guidelines can be found here.
- Multi-Factor Authentication (MFA): For the password policy to be most effective multi-factor authentication should be set up across an entire enterprise, not just select groups. It is important to choose a method that will provide convenience for users while still delivering the security required. There are several authentication methods to choose from such as hardware token, soft token. SMS/text, email, phone call. Learn more from our MFA blog.
- End User Awareness Training: Advancements in social engineering tactics make it more difficult for the end user to identify fraudulent messages. Utilize base line testing to develop a starting point, and then train users through various techniques. Go beyond just a training course with simulated phishing attacks. Measure the results against the baseline to continuously improve security.
- Vulnerability Scanning: Run regular internal and external vulnerability scans. Brite recommends conducting both on a weekly basis. Review the findings and assign proper remediation. Develop KPI’s and KRI’s (Key Risk Indicators) to show the average number of medium and high vulnerabilities, how long vulnerabilities take to remediate and how many were remediated over a time period.
But remember, a tool is only part of the solution.
With the constant state of never-ending alerts, it’s understandably easy to become overwhelmed with where to start when reducing risk within an organization. While the steps above are a good start, often IT professionals seek additional tools to remedy issues. Unfortunately, a tool is only part of the solution. There is no “magic bullet” to save you. You have to embrace the process and make it part of your culture to achieve a desired outcome.
Ensuring long-term improvement and success.
Ultimately the tool should be used to measure and demonstrate a continued improvement and increased security posture. The following insights help to measure improvements:
Define KPI’s: Show how the business is performing based on goals and objectives set by the organization’s leadership, Show trending over time
KRI’s: Understand the risk based on the current state and the future desired state. These should be based on established standards and contain severity and probability of occurring.
KCI’s: Understand the controls that are in place and how effectively they are at meeting the desired objective.
Remember, Rome, the once ancient city, has continued to strategically build new alongside the old to preserve what made it great and ensure the continued success of the city. The same concept holds with your security strategy. Strategic management, evaluation and improvements will lead to a longstanding, secure organization. Start the continuous journey today.